Skip to content

azu/ejs-injection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
output.html
output.html
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
template_file.ejs
template_file.ejs
 
 

Repository files navigation

ejs is not for user defined template

EJS is not safe for user defined template. You shoud not use ejs as a user-defined template.

Payload:

<%= console.log(process.env); %>

Run:

$ ejs ./template_file.ejs -o ./output.html

{
  ...Your environment variables
}

ejs allow to run any JavaScript code in template by design.

If used incorrectly, It will cause RCE(Remote Code Execution) vulnerbility. It is not ejs problem, It is your application problem.

references

About

ejs is not for user defined template

Topics

nodejs template security example vulnerability

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Languages